Secure. Anytime. Anywhere.

Transcription

1 Secure. Anytime. Anywhere. TM Mobile Device Management User Manual Version Copyright 2016, All Rights Reserved.

2 Notices and Information Notices and Information Please be aware of the following points before using Mobile Device Management Copyright 2016 Kanguru Solutions. All rights reserved. Windows 7 TM, Windows 8 TM, Windows 10 TM are registered trademarks of Microsoft Inc. All other brands and product names are trademarks of their respective companies and organizations. Kanguru Solutions will not be held responsible for any illegal use of this product nor any losses incurred while using this product. The user is fully responsible for any illegal actions taken. Customer Service To obtain service or technical support for your system, please contact Kanguru Solutions Technical Support Department at , or visit for web support. Legal notice In no event shall Kanguru Solutions liability exceed the price paid for the product from direct, indirect, special, incidental, or consequential software, or its documentation. Kanguru Solutions offers no refunds for its products. Kanguru Solutions makes no warranty or representation, expressed, implied, or statutory, with respect to its products or the contents or use of this documentation and all accompanying software, and specifically disclaims its quality, performance, merchantability, or fitness for any particular purpose. Kanguru Solutions reserves the right to revise or update its products, software, or documentation without obligation to notify any individual or entity. Export Law Compliance Regardless of any disclosure made to Kanguru Solutions pertaining to the ultimate destination of the specific Kanguru product, you warrant that you will not export, directly or indirectly, any Kanguru product without first obtaining the approval of Kanguru Solutions and the appropriate export license from the Department of Commerce or other agency of the United States Government. Kanguru Solutions has a wide range of products and each product family has different license requirements relative to exports. 2

3 End User License Agreement End User License Agreement This legal document is an agreement between you, the end user ( Licensee ), and Kanguru Solutions, a division of Interactive Media Corporation ( Licensor ). By downloading or obtaining and using this software, you are consenting to be bound by the terms of this agreement, which includes the software license and software disclaimer of warranty. This agreement constitutes the complete agreement between you and licensor. If you do not agree to the terms of this agreement, cease to use the product immediately and destroy any copies that you have made. SOFTWARE LICENSE The software shall be taken to mean the software contained in this package, downloaded from Licensor s website, or included within a hardware device and any subsequent versions or upgrades received as a result of having purchased this package. Licensee shall be taken as the original purchaser of the software. Licensee has the non-exclusive right to use the software only on a single computer. Licensee may not electronically transfer the program from one computer to another over any type of network. Licensee may not distribute copies of the software or the accompanying documentation to others either for a fee or without charge. Licensee may not modify or translate the program or documentation. Licensee may not disassemble the program or allow it to be disassembled into its constituent source code. This software is licensed only to you, the Licensee. You may not permit non-licensees to use or install it on computers or networks other than explicitly specified in this license without the prior written consent of Licensor. This license does not entitle you to any future upgrades or updates of software or configuration files, although Licensor may decide to make such upgrades or configuration file updates available with or without an associated fee. Licensee s use of the software indicates his/her acceptance of these terms and conditions. If Licensee does not agree to these conditions, then he or she must return any distribution media, documentation, and associated materials to the vendor from whom the software was purchased, and erase the software from any and all storage devices upon which it may have been installed or otherwise stored. DISCLAIMER OF WARRANTIES The software is provided on an AS IS basis, without warranty of any kind, including without limitation the warranties of merchantability, fitness for a particular purpose, and non-infringement. The entire risk as to the results and performance of the software is assumed by you, the Licensee. If the software is defective, you, and not Licensor or any distributor, agent or employee of Licensor assumes the entire cost of all necessary servicing, repair, or correction. 3

4 End User License Agreement LIMITATION OF DAMAGES In no event shall Licensor, or anyone else who has been involved in the creation, distribution, or delivery of this product be liable for any direct, indirect, special, punitive, exemplary, consequential or incidental damages (including but not limited to damages for loss of business profits, business interruption, loss of business information, and the like) arising out of the use or inability to use such product even if Licensor has been advised of the possibility of such damages. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. Security safeguards, by their nature, are capable of circumvention. Kanguru cannot, and does not, guarantee that data or devices will not be accessed by unauthorized persons, and Kanguru disclaims any warranties to that effect to the fullest extent permitted by law. COPYRIGHT RESTRICTIONS This software and any accompanying materials are copyrighted. Unauthorized copying of this software or of any of the textual materials accompanying it is expressly forbidden. You may not modify, adapt, translate, reverse engineer, decompile, disassemble (except to the extent applicable laws specifically prohibit such restriction), or create derivative works based on the software. EXPORT RESTRICTIONS You agree that you will not export the software to any country, person or entity subject to U.S. export restrictions. ENTIRE AGREEMENT This written End User License Agreement is the exclusive agreement between you and Licensor concerning the software and supersedes any and all prior oral or written agreements, negotiations or other dealings between us concerning the software. This License Agreement may be modified only by a writing signed by you and Licensor. This agreement is subject to the laws and jurisdiction of the courts of the Commonwealth of Massachusetts, USA. If a court of competent jurisdiction invalidates one or more of the terms of this contract, the surviving terms continue in force. This License Agreement is effective upon the earlier of your (1) use of the software; or (2) your manifesting assent to these terms as by clicking on the I Agree button shown when you downloaded or installed the software. 4

5 Table of Contents Table of Contents 1. Introduction What is Endpoint Protector Activation of Mobile Device Management Activation of Mobile Device Management Feature How Endpoint Protector MDM Works Supported Operating Systems and devices MDM Setup APNS (Apple) and GCM (Google Android) Setup of APNS for ios What is an Apple APNS Certificate and why do I need it? How to generate your Apple APNS Certificate? Renew an Apple APNS Certificate before expiration Setup of GCM for Android What is GCM (Google Cloud Messaging) and why I need it? How to get your Google API Key for GCM and Maps Entering Google API Key and Project Number in Endpoint Protector How to get your Google API Key for GCM and Maps Entering Google API Key and Project Number in Endpoint Protector Google C2DM ios EPP MDM App EPP MDM ios App Supported ios Versions EPP MDM ios App to locate devices EPP MDM ios App to enroll devices (optional) EPP MDM ios App Device Information Installing the EPP MDM ios App Allow Location Services for EPP MDM ios App Pushing and Managing EPP MDM App to ios Devices Android Endpoint Protector MDM Client App EPP MDM Android Client App Supported Versions The Android EPP Client App EPP Client Android App to enroll devices Install EPP Client App on Android and Enrolling Android Device Enrolling Mobile Devices Different Enrollment Methods Mobile Device Enrollment ios and OS X Enrollment and Profile Protection ios and OS X Profile Protection Deletion Passphrase Sending or SMS Enrollment Invitation (ios/os X / Android) SMS Enrollment Number Format (ios / Android) Enrollment Invitation (ios/os X / Android) SMS Enrollment Invitation (ios / Android) ios and OS X Mobile Device Enrollment over URL ios Mobile Device Enrollment through EPP MDM App Android Device Enrollment Bulk Enrollment Managing Mobile Devices Mobile Device Status Available Options

6 9. Manage ios Devices Security Settings (security Profile) on ios Password / Passcode Setting on ios Device Clear Passcode (No more password required) ios Device Hardware Encryption Restrictions (Restrictions Profile) on ios Restricting ios Features Restricting ios Applications icloud restrictions / Photo stream restrictions Security and Privacy Restrictions Content Rating Restrictions ios7 Restrictions Supervised Device Restrictions Remote ios Lock of Device Remote ios Device Wipe (Device Nuke) ios Disable Device Password / Passcode Device Ownership Voice Roaming on ios Data Roaming on ios Profile Removal Policy for ios Devices Refresh Device Details for ios Refresh App List for ios Installed Apps on ios Refresh Profile List on ios Profiles on ios Devices Information Remove Profile from ios device Manage Wifi on ios Wipe Wi-fi Settings Manage Mail on ios Wipe Settings Manage VPN on ios Manage APN settings on ios Manage Cellular Settings on Supervised ios 7 devices App Lock on Supervised ios 7 devices History of ios Devices Actions Contacts and Accounts Tab on ios Devices Manage OSX Devices Security Settings (Security Profile) on OS X Password / Passcode Setting on OS X Device OS X Device Hardware Encryption File Vault 2 Disk Encryption on OS X Disk Encryption Status Remote Lock of Device Remote OS X Device Wipe (Device Nuke) Device Ownership Profile Removal Policy for OS X Devices Refresh Device Details for OS X Refresh App List for OS X Installed Apps on OS X Refresh Profile List on OS X Profiles on OS X Devices Information Remove Profile from OS X Device Manage WiFi in OS X Wipe Wi-fi Settings Manage Mail on OS X Wipe Settings Manage VPN on OS X History of OS X Devices Actions

7 11. Manage Android Devices Security Settings (Security Profile) on Android Password / Passcode Setting on Android Device Device Password Android Device Hardware Encryption Request Storage Encryption Remote Android Lock of Device Remote Android Device Wipe (Device Nuke) Android Remote Wipe of SD-Card Device Ownership Android Device Location Settings Location Accuracy Fine on Android Location Cost Allowed on Android Manage Wifi Manage Bluetooth Manage Camera on Android Play Sound on Device for Android Refresh Google Accounts for Android Refresh Device Details for Android Refresh App List for Android Manage Calendar Events Installed Apps on Android Removing Installed Apps on Android Get Contacts on Android Get Accounts on Android History of Android Device Actions Manage WiFi, Manage Mail, Profiles on Android Mobile Application Management (MAM) for ios Adding Apps to your Managed Apps Catalog Searching for Apps Adding Apps to Managed Apps Catalog Adding Enterprise Apps to Managed Apps Catalog Editing App Management Options Managed Paid Apps Pushing Apps to ios Devices Update Managed Apps / Changing Settings Removing Managed Apps from ios Devices Android Application Management Adding Apps to your Managed Apps Catalog Editing App Management Options Pushing Apps to Android Devices Removing Managed Apps from Android Devices Policy Builder for ios, OSX or Android Devices Create a Policy for ios, OS X or Android Devices Assigning Devices to Policy Unmanage a Mobile Device / Uninstall App ios and OS X Device Unmanage by Administrator (over-the-air) ios Uninstall / Unmanage by User (on Device) OS X Uninstall / Unmanage by User (on Device) Uninstall ios EPP MDM app Android EPP Client App Uninstall / Unmanage Android Device

8 16. Installing the Root Certificate to Your Internet Browser For Microsoft Internet Explorer For Mozilla Firefox Terms and Definitions Server Related Client Related Support

9 Introduction 1. Introduction In the past few years, mobile devices have invaded business environments. Personal or company owned smartphones and tablets are used on a daily basis by employees to store and access their company s, sales reports etc. everywhere they go. The wide adoption of the BYOD (Bring-Your-Own-Device) model by companies worldwide led to the use of more personal mobile devices by employees for storing business information together with private data such as photos and music. This trend raised new issues for IT administrators, who are now faced with the challenge of protecting sensitive company data not only inside the secured company network, but also everywhere it is taken on mobile company endpoints. At the same time, a separation of close monitoring of company information from personal data must be imposed. To face the security challenges presented by increased mobility in business environments, Mobile Device Management by Endpoint Protector (referred to simply as MDM throughout this document) enables complete control and detailed monitoring over the use of mobile devices both inside and outside corporate environments, allowing employees to have secure access to both corporate and private data wherever they are and on whatever device they are using without business critical information being compromised. 9

10 Introduction 1.1 What is Endpoint Protector Endpoint Protector is a complete Data Loss Prevention solution for company networks of all sizes, enabling detailed control over removable, mobile storage media and mobile devices both inside and outside the companies walls. Endpoint Protector comprises three separate modules, which when combined provide next generation security for your endpoints: Mobile Device Management: Closely controls and monitors your entire mobile device fleet through dedicated MDM policies, protecting sensitive company data while permitting a degree of freedom for personal information. Once integrated in a company or enterprise network, it ensures a highly secure working environment for companies adopting and using a BYOD model. Device Control: Enforces strong security policies for controlling and closely monitoring all portable storage devices used inside the company network. Once deployed within a company s network, the Device Control modules reduces the risks of data loss and data theft through unauthorized use of removable and mobile devices through USB, etc.. Content Aware Protection: Allows defining custom content aware policies for detailed inspection, detection and reporting of all sensitive content transfers outside the secured network. Once enabled, the Content Aware Protection module scans all possible exit points and ensures that no critical data leaves the company network either by transfers via removable media or directly via , file sharing applications or to the cloud. 10

11 Activation of Mobile Device Management 2. Activation of Mobile Device Management The Mobile Device Management feature enables administrators to remotely control and enforce strong security policies on ios / Apple and Android devices. With options such as remote data wipe, device tracking and blocking, MDM offers enhanced protection against data theft and data loss, considerably reducing the risks that come with increased mobility in business environments. 2.1 Activation of Mobile Device Management Feature Mobile Device Management comes as an optional feature for Endpoint Protector that requires a separate yearly subscription, based on the number of protected mobile devices. By default, the feature is deactivated inside the Endpoint Protector Reporting and Administration interface. The Mobile Device Management feature requires an internet connection for the Endpoint Protector Appliance. The feature can be enabled by simply selecting the Mobile Device Management option from the left-side menu and clicking on the Enable Feature button. Activating this feature will require a working internet connection on Endpoint Protector Server/ Appliance. Additionally, the initiator of the activation request will have to provide company details such as Company Name, Contact Person Name and Contact Details, which will be sent to the Endpoint Protector Licensing Server. Kanguru will use this information only for validation purposes only and it will not imply subscribing to any newsletter or sharing information with any third party. Once the request is processed and approved, the feature will be enabled by Kanguru. A notification will be sent to the validated address and a trial period for the feature will be activated. Please make sure your Firewall will have whitelisted for you to receive all communication. A yearly subscription can be purchased to continue using all the functionalities of the Mobile Device Management feature. 11

12 How Endpoint Protector MDM Works 3. How Endpoint Protector MDM Works For Endpoint Protector Mobile Device Management to be able to manage your mobile ios and Android devices, communication between the devices and the Endpoint Protector Appliance over an internet connection is vital. Management actions need to arrive at your device either by a data connection like 3G in case of an iphone or over an internet connection if the device does not have a data connection like a Wi-Fi only ipad, Android tablet or MacBook. For the management actions to arrive at the device, the actions are sent using Apple Push Notification Service (short APNS) for ios devices and the Google Cloud Messaging Service (short GCM) for Android devices. To simplify the setup of your Endpoint Protector MDM service, the Endpoint Protector Cloud communicates between your Endpoint Protector Appliance (the Administration and Management Server) and the Apple/Google Services for your devices. For communication to work between your mobile devices and Endpoint Protector, it is required that you setup the APNS and GCM settings as described in the following steps. 3.1 Supported Operating Systems and devices The supported mobile device operating systems are: ios7 (iphone and ipad), ios6 (iphone and ipad), ios5, ios4 OS X Android 2.2+ (Codename Froyo) or newer versions A list of supported Android mobile devices is not provided due to the large number of devices from different manufacturers. Generally, Android devices with Android Operating version 2.2 and newer are supported. 12

13 MDM Setup APNS (Apple) and GCM (Google Android) 4. MDM Setup APNS (Apple) and GCM (Google Android) You are required to configure some settings before you can use the Endpoint Protector MDM features for ios and Android. The following sections describe the steps for configuring the settings needed to establish communication between your mobile devices and Endpoint Protector. Important! For Endpoint Protector Administrators that want to use the MDM Functionality only with Android devices, the Apple APNS Setup (required for MDM with ios) is NOT REQUIRED. If you want to use Endpoint Protector MDM with ios and Android devices, the setup of both GCM (Google Cloud Messaging for Android) and Apple APNS is required. 13

14 MDM Setup APNS (Apple) and GCM (Google Android) 4.1 Setup of APNS for ios What is an Apple APNS Certificate and why do I need it? In order to use the MDM features provided for ios, an Apple Push Notification Service (short APNS) certificate is required by Apple Inc. Receipt of the Apple issued and signed certificate is up to Apple Inc. s own discretion. Apple APNS is a certificate that is signed by Apple to clearly identify what ios devices are communicating with your Endpoint Protector Appliance in order to ensure that only your company s own devices receive commands from Endpoint Protector MDM. 14

15 MDM Setup APNS (Apple) and GCM (Google Android) How to generate your Apple APNS Certificate? The APNS Certificate can be generated in just a few simple steps from Mobile Device Management APNS Certificate Setup (Apple). Important! We recommend performing these steps on a Safari or Mozilla Firefox browser. Use of Internet Explorer for this step is known to cause the process to fail. 1. In the Endpoint Protector Administration Interface, go to Mobile Device Management and select APNS Certificate Setup (Apple) setup and complete enrollment for the Apple Push Notification Certificate. 2. Fill in the required details and click on the Download signed CSR button to get the Code Signing Request (CSR) file signed by Kanguru. 15

16 MDM Setup APNS (Apple) and GCM (Google Android) 3. In a different browser window (again, Firefox or Safari browser, not Internet Explorer) open the following link to the Apple Push Certificates Portal 4. Login to the Apple Push Certificates Portal using your Apple ID and follow the steps provided there. 5. Click Create a Certificate and agree to the Apple Terms of Use. 6. Select your signed CSR (downloaded in step 2) and click Upload to the Apple Push Certificates Portal. Your certificate will be available for download in just a few moments. 7. Download the Certificate from the Apple Push Certificates Portal to your computer. 8. Upload the APNS certificate from the previous step to the Endpoint Protector MDM Setup. After the upload is successfully performed, setup of Endpoint Protector Mobile Device Management is finalized for ios. You can now start enrolling ios devices by sending invitations to them either by or SMS or through the other supported enrollment methods as described in chapter 7 Enrolling Mobile Devices on p

17 MDM Setup APNS (Apple) and GCM (Google Android) Renew an Apple APNS Certificate before expiration The Apple APNS certificate must be renewed periodically with Apple before its expiration date to avoid losing control over the managed ios and OS X devices or having to re-enroll all devices. Please check the expiration date of your APNS certificate in the Endpoint Protector interface. The APNS certificate can be renewed in just a few simple steps from the Mobile Device Management APNS Certificate Setup (Apple) in Endpoint Protector. Note: If your APNS certificate expires or is revoked, it will result in unmanaged ios and OS X devices. Managing a device after an APNS certificate expires requires re-enrollment of the ios or OS X device. Note: We recommend performing these steps on a Safari or Mozilla Firefox browser. Use of Internet Explorer for this step is known to cause the process to fail. 1. In the Endpoint Protector Administration Interface, go to Mobile Device Management and select APNS Certificate Setup (Apple). 2. Renew your APNS Certificate before it expires by checking the expiration date as mentioned in the interface. 3. Follow the same steps as you did in the initial enrollment process. Click on Download signed CSR to get the Code Signing Request (CSR) file. Save the file on your computer. 17

18 MDM Setup APNS (Apple) and GCM (Google Android) 4. In a different browser window (again, Firefox or Safari browser, not Internet Explorer) open the following link to the Apple Push Certificates Portal: 5. Login to the Apple Push Certificates Portal using your Apple ID (previously used to request the APNS Certificate) and follow the steps provided there. 6. Click Renew. 7. After clicking Renew, you are prompted to upload the Code Signing Request (CSR) from step 3 that you saved on your computer. Select your signed CSR and click Upload to the Apple Push Certificates Portal. Your certificate will be renewed after a few moments and you will see the Expiration date is updated. 18

19 MDM Setup APNS (Apple) and GCM (Google Android) 8. Download the Certificate from the Apple Push Certificates Portal to your computer by clicking Download. 9. The APNS certificate from the previous step has to be uploaded to the Endpoint Protector/My Endpoint Protector MDM Setup. After the upload is successfully performed, your APNS renewal for the Mobile Device Management is finalized. Please check if the expiration date of the APNS certificate in Endpoint Protector/My Endpoint Protector was updated to the renewed date. 19

20 MDM Setup APNS (Apple) and GCM (Google Android) 4.2 Setup of GCM for Android To use Mobile Device Management features for Android devices, it is required that you provide an API key from Google. This API key is also required if you want to see device locations (using Google Maps) for Android and ios devices in the Locate Mobile Device View of Endpoint Protector What is GCM (Google Cloud Messaging) and why I need it? A GCM API Key (Google Cloud Messaging for Android) is required to use the MDM features provided for Android. GCM is necessary to establish communication between an Android mobile device and Endpoint Protector and issuance to you is up to Google/Androids own discretion. For more info about Google Cloud Messaging for Android, please refer to: For more info about Google Maps API, please refer to: How to get your Google API Key for GCM and Maps Visit the following site, Google Cloud Console, and login with your company s Google account. Please note that the old method can still be used by those who prefer it. When you log in with your Google account to the console, you have the option to revert to the old style. To setup GCM with the old method, see sections How to get your Google API Key for GCM and Maps on p.23 and Entering Google API Key and Project Number in Endpoint Protector on p If you login to the Google Cloud Console for the first time you will be asked to CREATE PROJECT. Select this option and give the project a name. The Project will be given a Project Number by Google which you also need to enter in the Endpoint Protector interface as described in the next section. 2. In the left menu go to APIs & auth > APIs. 20

21 MDM Setup APNS (Apple) and GCM (Google Android) 3. Make sure the following three Google Services have ON status (green): Google Cloud Messaging for Android Google Maps API v3 Static Maps API To enable these three services toggle the status to ON. 4. Register a new APP. Give it a name, and select the Web Application platform. 5. You can now locate your API key under the Server Key section. The API key has the following format (Example API key): ExamplE67QWuu26-5j6WEEfWqgqYYouW On the Google Cloud Console Site in Projects > APIs & auth > Registered apps > Server Key > ALLOWED IP ADDRESSES you can add IP addresses that are allowed to use your API keys. We recommend that you add the following two domains: cloud.endpointprotector.com endpointprotector.com 7. Copy the Google API key as described in the next section in the Endpoint Protector interface. 21

22 MDM Setup APNS (Apple) and GCM (Google Android) Entering Google API Key and Project Number in Endpoint Protector After you have obtained your Google API Key please enter it together with the Google Project Number in the Endpoint Protector Interface. The Google Project Number you find on the Google Cloud Console Site under Projects > Overview > Project Number. Add them at Mobile Device Management > GCM/Maps Setup (Google). After entering/copying the API Key and the Google Project Number, click the Save button. After completing these steps you can start enrolling Android devices to Endpoint Protector Mobile Device Management. 22

23 MDM Setup APNS (Apple) and GCM (Google Android) How to get your Google API Key for GCM and Maps Visit the following Google Site Google APIs Console and login with your company s Google account If you login to the Google APIs Console for the first time you will be asked to Create project. Select this option and give the project a name. The Project will be given a Project Number by Google, which you will need to enter in the Endpoint Protector interface as described in the next section. 2. In the left menu on the Google APIs Console Site go to Services. 3. Make sure the following two Google Services both have an ON status (green): Google Cloud Messaging for Android, Google Maps API v3. To enable these two services toggle it to the status ON, Google will ask you to agree to their Terms of Service/End User License Agreement. 23

24 MDM Setup APNS (Apple) and GCM (Google Android) 4. You can now locate your API key in the left menu on the Google APIs Console Site under API Access > Simple API Access > API key. The API key has the following format (Example API key): ExamplE67QWuu26-5j6WEEfWqgqYYouW On the Google APIs Console Site in API Access > Simple API Access you can also add referrers that are allowed to use your API keys, and we recommend you to add the following two. Do this by clicking on the right side next to the API key on Edit allowed referrers and add in separate lines: cloud.endpointprotector.com endpointprotector.com 6. Copy the Google API key as described in the next step in the Endpoint Protector interface. 24

25 MDM Setup APNS (Apple) and GCM (Google Android) Entering Google API Key and Project Number in Endpoint Protector After you have obtained your Google API Key please enter it together with the Google Project Number in the Endpoint Protector Interface. The Google Project Number you find on the Google APIs Console Site under Overview > Project Number. Add them at Mobile Device Management > GCM/Maps Setup (Google). After entering/copying the API Key, click Save API Key. Now enter the Google Project Number and click Save Project Number. After completing these steps you can start enrolling Android devices to Endpoint Protector Mobile Device Management Google C2DM C2DM for Android is not supported by Endpoint Protector anymore. 25

26 ios EPP MDM App 5. ios EPP MDM App The EPP MDM ios app is a free app for ios available on the Apple App Store. The EPP MDM app is compatible with iphone and ipad. It is an optional app and not a requirement to use Endpoint Protector MDM for ios. The EPP MDM app has two functions: first to locate the device and second to use the app optionally as a way to enroll an ios device to Endpoint Protector Mobile Device Management. 5.1 EPP MDM ios App Supported ios Versions The EPP MDM app for ios supports ios versions 7.0, 6.0 and 5.0. ios version 4.0 is not supported by the EPP MDM ios app due to missing support for required features. 5.2 EPP MDM ios App to locate devices The EPP MDM app allows the ios device to provide location data of the device to the Endpoint Protector Appliance in order to determine the current location of an ios device in case it is misplaced, lost or stolen. To locate an ios device the EPP MDM app is a necessity on the ios device. 5.3 EPP MDM ios App to enroll devices (optional) The EPP MDM app allows the ios device to enroll as described below at ios Mobile Device Enrollment through EPP MDM app. The EPP MDM app is not required for enrollment, it is simply an optional method of enrolling a device to Endpoint Protector Server. 5.4 EPP MDM ios App Device Information The EPP MDM app also detects device details and if a device was tampered with ( Jailbroken Status). 26

27 ios EPP MDM App 5.5 Installing the EPP MDM ios App The EPP MDM app for ios is available on the Apple App Store here: Downloading and installing the application can be done directly on the ios device by accessing the App Store on the device and entering EPP MDM in the search bar. The search result will show you EPP MDM by Kanguru. Click on the FREE button followed by INSTALL APP. After that the EPP MDM app will be downloaded and installed on your device. To start the EPP MDM app simply locate it on your ios device home screen and click to start it. 27

28 ios EPP MDM App 5.6 Allow Location Services for EPP MDM ios App After starting the EPP MDM ios app the user will be asked EPP MDM would like to use your current location. The user has to select OK to allow Location Services. If this setting is not made correctly to allow the ios EPP MDM app will not be able to report location information. This setting can be checked on the ios device in the following location: ios device home screen > Settings > Privacy > Location Services Location Services has to be set to ON and EPP MDM set to ON as well. Next to the ON button, a small compass needle icon will be displayed. 5.7 Pushing and Managing EPP MDM App to ios Devices The EPP MDM app can be pushed to and managed by any supported and managed ios device. For details on how to push the EPP MDM app to an ios device, refer to section 12.4 Pushing Apps to ios Devices on p

29 Android Endpoint Protector MDM Client App 6. Android Endpoint Protector MDM Client App The Android Endpoint Protector MDM Client app is a free app for Android devices and is available on the Google Play Marketplace here: The Android EPP Client app is mandatory for use of Endpoint Protector MDM with Android devices. 6.1 EPP MDM Android Client App Supported Versions The EPP MDM app for Android is compatible with Android devices using Android Version 2.2 (Codename Froyo) or newer. 6.2 The Android EPP Client App The Android EPP Client app allows the Android device to provide Endpoint Protector MDM with management rights. It also offers location data of the device to the Endpoint Protector Appliance in order to determine the current location of an Android device in case it is misplaced, lost or stolen. 6.3 EPP Client Android App to enroll devices The Android EPP Client app is required for enrollment of an Android mobile device to an Endpoint Protector Appliance. 29

30 Android Endpoint Protector MDM Client App 6.4 Install EPP Client App on Android and Enrolling Android Device After receiving the enrollment invitation or SMS, click on the link provided in the or SMS. 1. Choose to open the link with the default browser on your Android device. In this case (screenshot above) the choice for native browser is the option Internet, not Dolphin or any other browser that might be installed on your Android device. 2. The web browser will open the enrollment site that already includes your registration data consisting of an MDM ID and your One Time Code (OTC). Click Connect to proceed. 30

31 Android Endpoint Protector MDM Client App 3. In the next step the device user has to click on the Endpoint Protector Client link. Then a download of the EPP Client app will begin. 4. The download of the eppclient.apk (name of the EPP Client Android app download file) should complete quickly, depending on your data connection speed, since the eppclient.apk file is small. 5. Locate the eppclient.apk file in the download folder on your device. 31

32 Android Endpoint Protector MDM Client App 6. Click on eppclient.apk and select Install. The EPP Client will start to install itself on the Android device. 7. After the installation you will see a message indicating the installation is finished. Click Done to complete the final steps for your Android device enrollment. 32

33 Android Endpoint Protector MDM Client App 8. Go to Applications on your Android device. Locate the EPP Client and start it. 9. Once the EPP Client starts, you will need to enter your name and your phone number. If the device has no phone number, provide your mobile number for the Administrator to easier link your device with you as a user. Click Next after you have completed the fields. 33

34 Android Endpoint Protector MDM Client App 10. Now the question regarding device administration will appear, which needs to be confirmed by clicking Activate. Attention! If you do not enable this option, then the Android mobile device cannot be remotely administrated / managed. 11. Now you will see the message EPP Client Successfully registered to Google GCM or C2DM. This means that your Android device is now enrolled. 34

35 Android Endpoint Protector MDM Client App 12. The settings Location Accuracy Fine and Location Cost Allowed can be selected. Click Done to complete the enrollment process. These two settings are described in sections Location Accuracy Fine on Android on p.91 and Location Cost Allowed on Android on p

36 Enrolling Mobile Devices 7. Enrolling Mobile Devices Enrolling Mobile Devices means establishing a connection for communication and management between the Endpoint Protector Appliance and your mobile devices. It is the process of inviting, registering and connecting the device with your Endpoint Protector Appliance. To enroll mobile devices, it is required to have the setup for either APNS (for ios and OS X) or GCM (for Android) finalized as described in chapter 4 MDM Setup APNS (Apple) and GCM (Google Android) on p.13. If the Setup for APNS or GCM is not finalized, then the Endpoint Protector Appliance will not give you access to Enroll Devices. 36

37 Enrolling Mobile Devices 7.1 Different Enrollment Methods A mobile device can be enrolled by: Accessing a link in the invitation sent to the device Scanning a QR code contained in the invitation for a device Accessing a link contained in the invitation SMS sent to the device Directly accessing a link through the native web-browser on the device and completing the Endpoint Protector ID and OTC fields For ios devices the link is: For OS X devices the link is: For Android devices the link is: Downloading and installing the EPP MDM app on an ios, OS X or Android device and completing the Endpoint Protector ID and OTC fields Attention! Enrollment of ios and OS X devices should be done through the Safari browser on your ios and OS X device. Other browsers are not supported. For Android devices enrollment should be done through the native web browser on the device. 37

38 Enrolling Mobile Devices 7.2 Mobile Device Enrollment To be able to manage mobile phones and tablets, each device must be enrolled by going to Mobile Device Management > Enroll Devices. In the Enrollment window under Mobile Device Management Information, the MDM ID that corresponds to your appliance is displayed, which will be further used as a parameter for enrolling mobile devices. Additionally, you can check the exact number of mobile devices enrolled at the moment. The enrollment of ios, OS X and Android devices is similar in many ways. There are different enrollment options for each mobile device type available. The first two options allow the sending of and SMS based invitation requests to mobile devices, invitations which include short instructions that are required for the end users of the device to perform. Sending of invitations can be performed by clicking on the Send Request button, while SMS based invitations can be performed by clicking on the Send SMS Request button. The Bulk Enrollment feature allows the administrator to send mass enrollment requests with just a few clicks. The administrator must create a contact list, either by pasting it into the contacts list field or by importing it. After the contacts are added they will appear in the interface, and by clicking the Add to Sending Queue button the Bulk Enrollment process can be started and invitations will be sent to all contacts (more on Bulk Enrollment in section Bulk Enrollment on p.48). In order to ensure that a mobile device is properly and securely enrolled, there are two keys required during the enrollment process: MDM ID Uniquely identifies your Endpoint Protector Appliance/Server. OTC (One-Time-Code) Allows only invited devices to be enrolled on your Endpoint Protector Appliance/Server. The OTC will expire after one use. Uninstallation Passphrase (applies to ios and OS X) Allows the device to be unmanaged / uninstalled. The uninstallation option for ios and OS X has to be chosen at enrollment time. 38

39 Enrolling Mobile Devices The MDM ID can be found in the Reporting and Administration web interface at: Mobile Device Management > Enroll Devices > Mobile Device Management Information These invitations, in case of an unknown device type and request, will include three different registration links for the different types of devices (ios, OS X and Android), which readily include the MDM ID and OTC. In case of an unknown device type and SMS request, the invitations will include two different registration links for ios and Android, which already hold the MDM ID and OTC. While the MDM ID is used for all enrolled mobile devices, different OTCs must be used for enrolling each mobile device. The Mobile Device Management feature comes with 10 pre-generated OTCs available in the Enrollment window. The Request More OTC option will allow the Administrator to generate more OTCs. Once an or SMS based invitation request is sent, an OTC will be automatically assigned to the user requesting the enrollment of his device and it will be automatically removed from the list of available OTCs. To verify which OTC was assigned to each device and user, the administrator can click on the View Sent Invitations button, which will display a list of all used OTCs with the corresponding addresses and/or phone numbers where they were sent to. View Available OTC returns the administrator to the list of unassigned OTCs. The third enrollment method allows the end user to directly enroll a mobile phone through the Endpoint Protector Cloud Service, which can be accessed at two separate links, one for each supported mobile device operating system. This option requires that the user has already received the MDM ID and OTC keys from the administrator. In this case, the administrator must reserve one OTC from the list for the user making the request, using the Reserve right-click menu option. This operation will remove the selected OTC from the list of the available OTCs and move it to the list of already sent invitations. 39

40 Enrolling Mobile Devices ios and OS X Enrollment and Profile Protection When an ios or OS X device is enrolled the Administrator has the option to protect the policy/ settings (called Profiles on ios and OS X) against uninstallation. When an ios or OS X device is enrolled, it receives an enrollment profile which is responsible for communication between the device and the Endpoint Protector Appliance. This enrollment profile is not protected against uninstallation but all additional profiles attached to the enrollment profile can be protected against uninstallation. This means the restriction profile cannot be uninstalled from the device without the passcode that is protecting it, but the enrollment profile can be uninstalled which also will uninstall the restriction profile. The Profile Protection options are: Always Allow Removal Allows the user to remove a profile at any time. Never Allow Removal Allows removal of a profile only through the Endpoint Protector Appliance Administrator. Passphrase Required for Removal Allows the device user to delete the profile after entering the correct passphrase. A practical example to illustrate this fact better: an iphone is enrolled and the administrator applies the company s security policy for restrictions (disabling FaceTime for example) and WiFi Settings as a profile and protects it with profile protection. The user of the device wants to uninstall the restrictions profile to be able to use FaceTime. To do that the user is required to enter a passcode which he doesn t know (only the Endpoint Protector administrator knows the passphrase). The user could still uninstall the enrollment profile (without a passcode) but if he does that then all of his other profiles and settings are also deleted along with it (e.g. company WiFi settings, etc.). 40

41 Enrolling Mobile Devices ios and OS X Profile Protection Deletion Passphrase The passphrase for deletion of Profiles on ios and OS X devices is, by default, generated randomly if during the invitation/enrollment process the Endpoint Protector Administrator sends the invitation to devices with the Profile Protection option set to Passphrase Required for Removal. The automatically generated passphrase can be found in the Endpoint Protector Reporting and Administration web interface under Mobile Device Management > Enroll Devices > One Time Codes > Uninstall Passphrase (show) After clicking on Show the Passphrase that corresponds to the devices enrollment OTC is shown. In case the device user needs this passphrase, the administrator can give it to the user over the phone for the user to enter when deleting of a profile. The administrator can locate the passphrase after clicking View Invitations Sent and locating the OTC used by the device for enrollment. The Passphrase can also be set by the administrator manually under the option Mobile Device Management > Mobile Devices > Select Device > Manage Device > Profile Removal Policy 41

42 Enrolling Mobile Devices Sending or SMS Enrollment Invitation (ios/os X / Android) Sending or SMS enrollment invitations is made through the option Enroll Devices. Entering and phone numbers requires attention to the correct format and selecting the device type, if known, in this step is preferred because there is less chance that the user will select the wrong option. For ios and OS X devices in the device enrollment step as previously described, it is important to set the Profile Protection settings SMS Enrollment Number Format (ios / Android) When sending SMS enrollment invitations it is essential to send them using the correct number format. The correct number format is: Country code, followed by area code and number, No + or zeroes are required in front of the country code. A country code is ALWAYS required, in case of US or Canadian numbers it is a 1, for Germany it is 49, etc. Note: SMS Enrollment is not available for OS X 42

43 Enrolling Mobile Devices Enrollment Invitation (ios/os X / Android) The device user can receive an enrollment invitation on the actual device and access the provided URL (which already includes the MDM ID and OTC) to enroll the device. Or if the is received with a desktop client, the user can scan the QR Code contained in the (which includes already the MDM ID and OTC) or access the URL by typing it in directly to the browser on the mobile device. Below is an enrollment invitation received by an ios device. In case the invitation is sent to an unknown device type it is important that the user chooses the proper device type from the available link options for ios, OS X and Android devices SMS Enrollment Invitation (ios / Android) The device user should receive an enrollment invitation SMS on the actual device and access the included URL (which includes the MDM ID and OTC) to enroll the device through the native browser of the device. In case of ios it has to be accesses using Safari on the iphone or ipad. Below is an example of an enrollment invitation SMS on an ios device. Note: SMS Enrollment is not available for OS X. 43

44 Enrolling Mobile Devices ios and OS X Mobile Device Enrollment over URL Attention! Enrollment of ios devices should be done through the Safari browser on your ios device or the ios EPP MDM app from the App Store. Using other web browsers to enroll your ios device is not supported. The enrollment of an ios or OS X device requires a working internet connection (Wi-Fi or 4G/3G/2G). A 3G data connection is recommended for mobile devices. This way the communication with the Apple Servers can be performed and the information about the mobile device can be further transmitted to the Endpoint Protector Appliance/Server. Once the user has received the invitation and clicked on the embedded link, a confirmation page will be displayed in their browser, auto-filled with the MDM ID and OTC keys. After clicking on the Connect button, the user receives an Endpoint Protector profile for download, which must be further installed on his mobile device. 44

45 Enrolling Mobile Devices The user has to click on Endpoint Protector Profile to continue. The Profile has been generated at this step and is ready for installation. Note: The profile is only valid for two (2) hours. If the enrollment process is interrupted for more than two hours then the enrollment process has to be repeated from the start. Next, the user must click on the Install button to install the Endpoint Protector Profile. In case the ios or OS X device already has a passcode/password set to access the device, the user is asked to enter the passcode/password in order to confirm installation. Once the Endpoint Protector Profile is successfully installed, the mobile device will be displayed inside the Mobile Devices List in the Endpoint Protector Web based Reporting & Administration Interface. It is now available for the administrator to manage. 45

46 Enrolling Mobile Devices ios Mobile Device Enrollment through EPP MDM App To enroll using the EPP MDM ios app from the Apple App Store, the user has to install the app on the ios Device. After installing the EPP MDM ios app (as described in section 5.5 Installing the EPP MDM ios App on p.27) the user has to click Query enrollment status. The app will check whether the ios device is already enrolled with Endpoint Protector Mobile Device Management. If the device is not enrolled yet then the following message will appear The device doesn t appear to be enrolled. If the device is enrolled already, it will appear as Device enrolled. Device not enrolled yet Device is already enrolled 46

47 Enrolling Mobile Devices In case the device is not enrolled yet, click Enroll Device to continue. Provide the MDM ID (MDM ID is located as described in section 7.2 Mobile Device Enrollment on p.38) and the OTC (One Time Code) that is provided by the Endpoint Protector Administrator and click Connect. After a device is successfully enrolled, the Device enrolled status displays the MDM ID (Server ID) and OTC used along with the date when the device was enrolled. 47

48 Enrolling Mobile Devices Android Device Enrollment To enroll an Android mobile device, a Google Account must have been previously setup by the user on the device. This is usually done when the user receives a new device and starts using it. Additionally, an internet connection is mandatory for communication between Endpoint Protector Appliance and the Android device. At least a 3G data connection is recommended to allow communication with Google and Endpoint Protector Appliance and the transmission of mobile device information. Once the user has received the invitation and clicked on the included link, a confirmation page will be displayed in his browser, auto-filled with the MDM ID and OTC keys. These steps are described in detail in section 6.4 Install EPP Client App on Android and Enrolling Android Device on p Bulk Enrollment Bulk enrollment allows the administrator to send enrollment invitations to a large number of devices at the same time, through a contacts list. A contacts list can be imported from an.xls file or can be created in the Paste Contacts section. 48

49 Enrolling Mobile Devices It is possible to paste up to 500 contacts at once. The required format is: name, separated with semicolon (;) the , separated with semicolon (;) the telephone number (e.g. John Smith ; john@company. com ; ). Please note that a Bulk Enrollment.xls sample file with a few examples inside is available for download. Regardless of the way the contacts list is created, the mobile device type and profile protection must be selected, otherwise an incorrect enrollment link may be sent. Choose Unknown for Select Mobile Device Type, if the devices to which the invitations will be sent are not just for one operating system (ios, OS X or Android). The added contacts will be available in the Results section. To add the selected contacts to the sending queue click on Add To Sending Queue button. 49

50 Enrolling Mobile Devices In case both an and a telephone number is given, the enrollment invitation will be sent via . Sending all invitations may take up to one hour, depending on the number of selected contacts. To view the pending enrollments, click on the Check Sending Queue link. Note: Contacts to which invitations were already sent will no longer be available in this interface. 50

51 Managing Mobile Devices 8. Managing Mobile Devices A list of enrolled mobile devices and their status is available under Mobile Device Management -> Mobile Devices. To manage a specific device, select it from the list by right-clicking on the device name and choose one of the available actions: Manage Device (edit) - The Manage Device option allows the Administrator to manage an already enrolled device individually and enforce different settings to the device specifically for the selected device. Hide/Show Device - The Hide option will remove the device from the list without deleting the device history or uninstalling / unmanaging the device. A hidden device can be added again to the list of mobile devices by selecting the Show Hidden Devices > Yes > Apply Filter option from the available Filter option. Delete Device - The Delete option once selected by the Administrator will delete a device and the corresponding history and logs from Endpoint Protector Appliance. We recommend not to Delete a device not before it was unmanaged. To unmanage a device, please check the chapter 15 Unmanage a Mobile Device / Uninstall App on p.115 in this manual. Note: We recommend using the Hide option instead of deleting the mobile device in order to keep the mobile device history for future auditing. 51

52 Managing Mobile Devices 8.1 Mobile Device Status In the Status column, the current mobile device status is shown if known by Endpoint Protector. Registered The device is currently managed and Endpoint Protector MDM can communicate with the device. Applies to both ios and Android devices. MobileProfileRemoved The device is no longer managed. Either the device user has directly removed the Enrollment Profile from the device, or the Endpoint Protector Administrator has remotely removed the Enrollment Profile from the device to unmanage it. Applies to ios devices. DeviceAdminDisabled The device is no longer managed. Either the device user has directly removed the EPP Client app from the device, or the Endpoint Protector Administrator has remotely removed the EPP Client app from the device to unmanage it. Last Seen - The time and date when the device last communicated with the Endpoint Protector MDM. Selecting the Manage Device option for a mobile device will open the Manage Device page, containing different options to manage the selected device and to view information about it 52

53 Managing Mobile Devices The main three rows are the following: Device Information: displays all important device related details from mobile device name, model, type and OS to carrier related details such as carrier name, user phone number and user name. Not all information will be available all the time since the information available depends on the device and the operating system. Locate Device: displays on the map the previous and the current location of the device at the time of the last request. By selecting the Update Location option, the current location will be displayed on the map, while the Location History option will allow the Administrator to view the previous locations of the mobile device. For ios only the current location is available of the device. For Android all location options are available, while for OS X there is no location information available. Please remember, ios and Android both require the EPP MDM app to be installed on the device to obtain location information. Device Management Tabs: includes separate tabs containing the available MDM options for remote device and data managing. Detailed Features are described in the following paragraphs. A status bullet is displayed for each of the available Mobile Device Management options, indicating the returned result of a selected/executed operation: Red indicates that the requested operation has failed. Green indicates that the requested operation was successfully performed. Yellow indicates that the requested operation is in pending mode. A practical example is when you click on Refresh Device Details. The bullet will turn yellow and remain yellow for a few seconds until the request has been sent to the device and the device has answered to the Endpoint Protector Appliance. Then the status is changed to green and in this case the updated device details can be viewed. Note: Due to the differences existing between the ios, OS X and Android platforms, some of the MDM features might not be available for all operating systems. 53

54 Managing Mobile Devices Available Options The table below shows the available MDM options for Android and ios mobile Devices. More options will be made available with each version update. Tab MDM Option Description OS Support Define the owner of the device: Personal, Device Settings Device Ownership Company or Unknown / / Device Settings Voice Roaming Deactivate the Voice Roaming service for the mobile device (*Carrier dependent) Device Settings Data Roaming Deactivate the Data Roaming service for the mobile device Device Settings Device Location Settings Set additional parameters for the locating option: Location Accuracy Fine & Location Cost Allowed for more accurate mobile device location / Lock / Wipe Lock / Wipe Lock / Wipe Security Policy Security Policy Security Policy Security Policy Security Policy Security Policy Security Policy Security Policy Lock Device Wipe Device Data Wipe SD Card Current Security Policy FileVault 2 Disk Encryption Set Security Policy Ask User To Change Password Clear Password Device Password Password History Password Age Remotely locks a mobile device with or without resetting the user s password / / Remotely deletes all device data. Additionally, the data stored on the SD Card can be deleted as well by checking the Include SD Card option / / Remotely deletes all data stored on the SD Card Displays the security settings applied at that moment / / Encrypts the content of the disk automatically Define additional password settings such as: minimum password length, password quality, max. time to lock, max. number of password retries before / / wipe. Forces the user to define a new password Resets any existing password for the mobile device / / Resets any existing password and allows remotely defining a different password for the mobile device / / Keeps track of the last passwords used and doesn t allow setting them as new passwords Forces the user to define a new password after a certain time period / 54

55 Managing Mobile Devices Security Policy Grace Period Forces the user to define a new password after the grace period is over (counted in minutes) / Manage Device Play Sound on Device Activates a song on the device, which will play for a predefined period of time Manage Device Refresh Device Details Updates the device details displayed under Device Information / / Manage Device Refresh App List Display a list of currently installed apps on the mobile device / / Manage Device Refresh Profile List Display a list of currently set profiles on the mobile device / Manage Device Refresh Google Accounts Display a list of currently set Google accounts on the mobile device Manage Device Refresh Accounts Display a list of all currently set accounts on the mobile device Manage Device Refresh Contacts Display a list of all current contacts saved on the mobile device Installed Apps Installed Apps Shows a list of installed apps after selecting the Refresh Apps List option / / Remove Installed Apps Installed Apps Removes the selected application from the list of installed apps and uninstalls the application from the mobile device Accounts Accounts Shows a list of accounts after selecting the Refresh Accounts / Refresh Google Accounts option Contacts Contacts Shows a list of contacts after selecting the Refresh Contacts option Profiles Profiles Shows a list of set profiles after selecting the Refresh Profile List option / History History Logs all device activity / / 55

56 Manage ios Devices 9. Manage ios Devices For each operating system (ios, OS X and Android) different Device Management features are supported and available. For ios the different management settings are stored as different profiles. One ios device can have multiple profiles stored on it. 56

57 Manage ios Devices 9.1 Security Settings (security Profile) on ios Enforcing the use of a password / passcode is the most important feature on any device, company or individually owned. Protecting access to data on the device is the first step towards protecting your ios devices Password / Passcode Setting on ios Device Mobile Devices > Security Policy > Set Security Policy The following Settings can be applied for the password / passcode settings for an ios device: Simple Value Example Password could be 1221 Alphanumeric Password Example could be 1B3C Min Password Length Minimum number of characters Min Number Of Complex Chars Minimum number of complex characters. Complex characters are for example:!@#$%&* etc. Max Password Age (days) Number of days for which a user can use the same password. After that the user is forced to change their password to a new password. Max Time To Lock (minutes) If an ios device is not in use, the device will automatically lock (request password to access again) after a set number of minutes. Password History When a password is changed, a new password is required. For example, if set to two, it means that when changing the password the user cannot reuse the two previously set passwords. Grace Period (minutes) The time a user has to make a change to the password or to initially set a password after the device receives the security policy. Max Failed Password Retries The number of times a user can enter the wrong password before the device will wipe all data and reset itself. In case of reset, the device wipes all data stored on itself and is reset to the factory default. All data on the device is erased and cannot be recovered. 57

58 Manage ios Devices Clear Passcode (No more password required) Using the option Clear Passcode the current device password will be set to be empty; hence the device can be unlocked without entering a password. This feature can be helpful in case the device has been damaged and a password cannot be entered through the device itself ios Device Hardware Encryption When the password/code for an ios device is set, the ios device is automatically using its built in hardware encryption in order to protect data on the device in case it is lost or stolen. We recommend setting a complex password in the security policy for maximum protection. 58

59 Manage ios Devices 9.2 Restrictions (Restrictions Profile) on ios Mobile Devices > Security Policy > Set Restriction Policy In order to use an ios device according to a company policy, the Endpoint Protector Administrator can choose what options / features to allow to be used on the ios device or to be disabled. Disabling an option / feature will result in the option / feature being disabled from the ios device. A practical example would be for the Administrator to disable the use of FaceTime. After the restriction policy is received by the ios device, the FaceTime app icon and all FaceTime related options under Settings are removed (see screenshots below). The ios device user has no option anymore to access or use the FaceTime feature. FaceTime disabled by policy FaceTime enabled without policy 59

60 Manage ios Devices Restricting ios Features The following ios features can be restricted: Allow installing apps Allow Siri Allow Siri while device locked Allow use of camera Allow FaceTime Allow screen capture (i.e. holding home button and ON/OFF button to capture screen) Allow Passbook while the device is locked Allow sync while roaming Allow voice dialing Allow In-App Purchase Require itunes Store password Allow multiplayer gaming Allow adding Game Center friends Restricting ios Applications The following Applications can be restricted: Restrict YouTube App (native ios YouTube) Since YouTube is not part of ios 6 anymore, this feature is only supported for ios 4 and ios 5. Allow itunes Allow Safari Allow Safari Auto Fill Allow javascript on Safari Allow popups on Safari Safari fraud warning icloud restrictions / Photo stream restrictions icloud is a service where almost all data on an ios device is uploaded to Apple Servers. Some companies may choose to restrict the use of icloud due to regulatory requirements, compliance requirements, data protection concerns or simply privacy concerns. Allow icloud backup Allow icloud document sync Allow photo stream Allow shared photo streams Disallow photo stream can cause loss of data that was part of photo stream. 60

61 Manage ios Devices Security and Privacy Restrictions Allow sending diagnostic data Allow untrusted TLS certificate Force encrypted backups (when backing up an ios device to a computer) Content Rating Restrictions Allow explicit content ios7 Restrictions Allow fingerprint for unlock Allow Lock Screen Control Center Allow Lock Screen Notifications Allow Lock Screen Today View Allow managed docs in unmanaged Apps Allow unmanaged docs in managed Apps Allow OTA PKI updates Limit ad tracking Supervised Device Restrictions Allow AirDrop Allow Account Modification Allow App Cellular Data Changes Allow User Generated Siri Content Allow changes to Find My Friends Allow Host Pairing Allow ibookstore Allow Game center Allow imessage Allow App Removal 61

62 Manage ios Devices 9.3 Remote ios Lock of Device Mobile Devices > Lock / Wipe > Lock Device The ios device can be remotely locked. Clicking Lock will remotely lock the device screen and require a successful password entry to unlock the screen. The current password is kept in case the device is remotely locked. Remotely locking a device also works in case of a device that has a SIM card and the SIM card has been removed from the device. As long as the device has a working internet connection, in this case over Wi-Fi, the remote locking of the device will still work as long as the lock command can reach the device. On supervised ios 7 devices, it is possible to show a message and a phone number when locking the screen. For the message and phone number to appear, the device must have a password already set. 62

63 Manage ios Devices 9.4 Remote ios Device Wipe (Device Nuke) Mobile Devices > Lock / Wipe > Wipe Device Data The ios device can be remotely wiped. A remote wipe will erase all data on the device and reset the device to the factory default settings. To remotely wipe a device click Wipe and a confirmation message will ask if you are sure you want to remotely wipe the device before proceeding. After a remote wipe the device is unmanaged. No connection between the ios device and Endpoint Protector exists after the remote wipe. The remote wipe of a device also works if a device has a SIM card and the SIM card has been removed from the device. As long as the device has a working internet connection, in this case over Wi-Fi, the remote wipe of the device will still work as long as the wipe command can reach the device. Note: All data on the device will be permanently lost. It cannot be recovered after a remote wipe. Use this feature with caution and only as a last resort. 9.5 ios Disable Device Password / Passcode Mobile Devices > Security Policy > Clear Password (No more password required) The Clear Password (No more password required) option will disable the password / passcode requirement for the ios device. Unlocking the device screen will be possible without a password entry. 63

64 Manage ios Devices 9.6 Device Ownership Mobile Devices > Device Settings > Device Ownership The Device Ownership option can be set to who is the rightful owner of a device. Set it to Company if the company has purchased the device for the user, or to Personal if the user has purchased the device and uses it for business purposes. After a device is enrolled the default Device Ownership setting is Unknown. 9.7 Voice Roaming on ios Mobile Devices > Device Settings > Voice Roaming The Voice Roaming option can be set to allow a device to have voice roaming enabled while outside of range of the default cellular network. This setting can also be in some cases dependent on the cellular network provider. It may be required, depending on the cellular subscription, if voice roaming has to be activated for the subscription before it can be enabled or disabled through Endpoint Protector. 64

65 Manage ios Devices 9.8 Data Roaming on ios Mobile Devices > Device Settings > Data Roaming The Data Roaming option can be set to allow a device to have data roaming enabled while outside of range of the default cellular network. This setting can in some cases also be dependent on the cellular network provider. It might be required depending on the cellular subscription if data roaming has to be activated first for the subscription before it can be enabled or disabled through Endpoint Protector MDM. 9.9 Profile Removal Policy for ios Devices Mobile Devices > Manage Device > Profile Removal Policy As described in section ios and OS X Profile Protection Deletion Passphrase on p.41, profiles (settings) on an ios Device can be protected with a passphrase. With this option, the passphrase can be changed to be a different one than the one automatically generated and associated with the OTC. For the full description of this option please see section ios and OS X Profile Protection Deletion Passphrase on p

66 Manage ios Devices 9.10 Refresh Device Details for ios Mobile Devices > Manage Device > Refresh Device Details This function will ask the ios device for its latest details and display them in the Mobile Device Information section Refresh App List for ios Mobile Devices > Manage Device > Refresh App List Clicking Get Application List will ask the ios device for a list of all the apps installed on the ios device. The list of all installed apps is shown in Endpoint Protector MDM at Mobile Devices > Installed Apps. If the user installs a new application, the list of installed apps will be updated the next time that the administrator requests the list of apps by clicking the Get Application List button. 66

67 Manage ios Devices 9.12 Installed Apps on ios Mobile Devices > Installed Apps The List of Apps installed on the ios device lets the Administrator see what apps users have installed on their devices. The list of apps installed on a device can be requested from the ios device and updated though the Get Application List option as described in section 9.11 Refresh App List for ios on p.66. Installed apps on managed ios devices can be pushed, uninstalled and managed in different ways as described in the chapter 12 Mobile Application Management (MAM) for ios on p Refresh Profile List on ios Mobile Devices > Manage Device > Refresh Profile List The Profile List of an ios device will show you what profiles are currently installed on the device. The list of installed profiles is shown here: Mobile Devices > Profiles 67

68 Manage ios Devices 9.14 Profiles on ios Devices Information Mobile Devices > Profiles The profiles installed on an ios Device are listed in the Profiles tab. The profiles installed on an ios Device are always the enrollment profile and possible restrictions or other profiles. The type of profile is shown in the Profile Description column Remove Profile from ios device Mobile Devices > Manage Device > Refresh Profile List From here, the Endpoint Protector Administrator can remove a profile by clicking on Remove Profile action. If a profile, e.g. a Restriction Profile is removed, the associated restrictions from the ios device are removed. In case the Administrator wants to unmanage a device, the Enrollment Profile needs to be removed. After removing the enrollment profile the device is no loger managed. 68

69 Manage ios Devices 9.15 Manage Wifi on ios Mobile Devices > Manage WiFi The Endpoint Protector Administrator can apply wireless network (WiFi) settings to an ios device. This can be used for ios devices to automatically connect to a WiFi access point without having to manually add the settings on the device Wipe Wi-fi Settings Wi-Fi Profile can be removed to wipe company Wi-Fi Settings while personal Wi-Fi content remains untouched. 69

70 Manage ios Devices 9.16 Manage Mail on ios Mobile Devices > Manage Mail The Endpoint Protector Administrator can apply settings to an ios device. This can be used for ios devices to automatically use company accounts and settings without having to manually add the settings on the device Wipe Settings Profile can be removed to wipe company Content and Settings while personal accounts and content remain untouched. 70

71 Manage ios Devices 9.17 Manage VPN on ios Mobile Devices > Manage VPN The Endpoint Protector Administrator can apply VPN settings to an ios device. This can be used for ios devices to automatically deploy and use company VPN settings and policies without having to manually add the settings on the device Manage APN settings on ios The Access Point Name (APN) defines the network path for all cellular data connectivity. You can view or edit the APN for cellular data services on iphone or ipad, if your device uses a SIM card and your carrier allows you to edit the Access Point Name. To change the settings on the target device, complete the required fields. You ll have to provide a name, access point username and password and proxy server if required. Clicking Apply will push the cellular settings to the device. 71

72 Manage ios Devices 9.19 Manage Cellular Settings on Supervised ios 7 devices Cellular data is used for data communication in cellular networks. It doesn t affect your ability to make or receive phone calls or to use Wi-Fi networks for Internet connectivity. To change the settings on the target device, complete the required fields. You ll have to provide a name, the authentication type, access point username and password and proxy server if needed. Clicking Apply will push the cellular settings to the device App Lock on Supervised ios 7 devices The App Lock feature can be used to lock a device so only one application, which will be set from the server, can run on it. This feature is only available on supervised ios 7 devices. If the list of existing applications on the device was never updated on the server, you must click the Get App List button from the Manage Device section as explained in section 9.11 Refresh App List for ios on p.66, otherwise there will be no applications listed in the App Identifier dropdown. However, it is recommended to click Get App List each time before the App Lock feature is used to refresh the available apps. After the device provides a list of available apps, it is possible to set some further options which will define the usability of the application. Clicking the Apply button will enforce the App Lock on the device. 72

73 Manage ios Devices 9.21 History of ios Devices Actions Mobile Devices > History In the History tab, a record of actions sent to an ios device are saved and the corresponding results are shown as well. The result can be: Executed, Error, Failed or Pending Contacts and Accounts Tab on ios Devices Mobile Devices > Contacts Mobile Devices > Accounts The tabs Contacts and Accounts have no functionality associated with them for ios and show No Results. This function is currently only supported for Android devices. 73

74 Manage OSX Devices 10. Manage OSX Devices For each operating system (ios, OS X and Android) different Device Management features are supported and available. For OS X the different management settings are stored as different profiles. One OS X device can have multiple profiles stored on it. 74

75 Manage OSX Devices 10.1 Security Settings (Security Profile) on OS X Enforcing the use of a password / passcode is the most important feature on any company or individually owned device. Protecting access to data on the device is the highest priortiy when protecting your OS X devices Password / Passcode Setting on OS X Device Mobile Devices > Security Policy > Set Password Security Policy The following Settings can be applied for the password / passcode settings for an OS X device: Simple Value Example Password could be 1221 Alphanumeric Password Example could be 1B3D Min Password Length Minimum number of digits Min Number Of Complex Chars Minimum number of complex characters. Complex characters are for example:!@#$%&* etc. Max Password Age (days) Number of days for which a user can use the same password. Afterwards the user is required to change their existing password to a new password. Max Time To Lock (minutes) If the OS X device is not used for a set number of minutes, the device will lock (request password to access again). Password History When a password is changed, a new password is required. For example, if set to two, it means that when changing the password the user cannot reuse the two previously set passwords. Grace Period (minutes) The time a user has to make a change to the password or to initially set a password after the device receives the security policy OS X Device Hardware Encryption When the password/code for an OS X device is set, the OS X device is automatically using its built-in hardware encryption in order to protect data on the device in case it is lost or stolen. We recommend setting a complex password in the security policy in order to have maximum protection. 75

76 Manage OSX Devices 10.2 File Vault 2 Disk Encryption on OS X You can encrypt the contents of you entire drive with FileVault 2 to help keep your data secure using XTS-AES 128-bit encryption. Here are some guidelines on how to use the FileVault 2 Disk Encryption: The first step is to change the File Vault dropdown to On/Enable status. There are a few options that can be selected below. Defer Encryption Defer encryption until the current user of the Mac logs out. Prompt user for missing info - In case the administrator did not set the Password, it will prompt the user to complete, on the device, the missing info. Create a personal recovery key - FileVault will create a personal key that can be used in case the user password on the device is lost or forgotten, and access is needed to the FileVault encryption. Display the recovery key to the user Before starting the encryption, the recovery key will be shown to the user so that the user can save it for future reference. Use Keychain for institutional recovery key- An institutional key will be created and saved at /Library/Keychains/FileVaultMaster.keychain Output Path The location on the device where the personal recovery key will be saved Username Must be an existing user that is already created on the target device Password The password for the user Disk Encryption Status FileVault 2 Disk Encryption also has a Status field where it is possible to find information such as: Encryption Status, whether the Personal Recover Key was defined or not and whether the Institutional Recovery Key was defined or not. 76

77 Manage OSX Devices 10.3 Remote Lock of Device Mobile Devices > Lock / Wipe > Lock Device The OS X device can be remotely locked and a PIN can be set. Clicking Lock will remotely lock the device screen and the user will have to enter the PIN to unlock it. The PIN must be a four (4) digit number Remote OS X Device Wipe (Device Nuke) Mobile Devices > Lock / Wipe > Wipe Device Data An OS X device can be remotely wiped. A remote wipe will erase all data on the device and reset the device to its factory default. To remotely wipe a device click Wipe and a confirmation message will ask to confirm that you want to remotely wipe the device. After a remote wipe the device is unmanaged. No more connection between the OS X device and Endpoint Protector is possible after the remote wipe. The Find My Mac PIN password protects the wiped device. After the device is wiped it will be locked and cannot be used unless the PIN is entered. Note: All data on the device will be permanently lost. It cannot be recovered after a remote wipe. Use this feature with caution and only as a last resort, as all existing user data will be wiped. 77

78 Manage OSX Devices 10.5 Device Ownership Mobile Devices > Device Settings > Device Ownership The Device Ownership option can be set to whoever is the rightful owner of a device. Set it to Company if the company has purchased the device for the user, or to Personal if the user has purchased the device and uses it for business purposes. The default settings after a device is enrolled is Unknown Profile Removal Policy for OS X Devices Mobile Devices > Manage Device > Profile Removal Policy As described in section ios and OS X Profile Protection Deletion Passphrase on p.41, profiles (settings) on an OS X device can be protected with a passphrase. With this option, the passphrase can be changed to be a different one than the one automatically generated and associated with the OTC. For the full description of this option please refer to section ios and OS X Profile Protection Deletion Passphrase on p

79 Manage OSX Devices 10.7 Refresh Device Details for OS X Mobile Devices > Manage Device > Refresh Device Details This function will ask the OS X devices for their latest details and display them in the Mobile Device Information section Refresh App List for OS X Mobile Devices > Manage Device > Refresh App List Clicking Get Application List will ask the OS X device for a list of all the applications installed on the OS X device. The list containing all installed applications will be shown at the Installed Apps section. If the user installs a new application, the list of the installed apps will be updated the next time the administrator requests the list of apps by clicking the Get Application List button. 79

80 Manage OSX Devices 10.9 Installed Apps on OS X Mobile Devices > Installed Apps The List of Apps installed on the OS X device lets the Administrator see what applcations their users have installed on their devices. The list of apps installed on a device can be requested from the OS X device and updated through the Get Application List option as described in section 10.8 Refresh App List for OS X on p Refresh Profile List on OS X Mobile Devices > Manage Device > Refresh Profile List The Profile List of an OS X device will show you what profiles are currently installed on the device. The list of installed profiles is shown at: Mobile Devices > Profiles 80

81 Manage OSX Devices Profiles on OS X Devices Information Mobile Devices > Profiles The profiles installed on an OS X Device are listed in the Profiles tab. There are two types of profiles: the main Enrollment Profile and the Restriction Profiles. The type of profile is shown in the Profile Description column. If a new profile is installed on the device, the list of installed profiles will be updated the next time the administrator requests the list of profiles by clicking the Get Profiles List button as described in section Refresh Profile List on OS X on p Remove Profile from OS X Device From here the Endpoint Protector Administrator can also perform the remove action of a profile by clicking on Remove Profile. If a profile, e.g. a Restriction Profile is removed, the associated restrictions from the ios device are removed. In case the Administrator wants to unmanage a device, the Enrollment Profile needs to be removed. After removing the Enrollment Profile the device is no longer managed. 81

82 Manage OSX Devices Manage WiFi in OS X Mobile Devices > Manage WiFi The Endpoint Protector Administrator can apply wireless network (WiFi) settings to an OS X device. This can be used for OS X devices to automatically connect to a WiFi access point without having to manually add the settings on the device Wipe Wi-fi Settings Wi-Fi Profile can be removed to wipe company Wi-Fi Settings while personal Wi-Fi content remains untouched. 82

83 Manage OSX Devices Manage Mail on OS X Mobile Devices > Manage Mail The Endpoint Protector Administrator can apply settings to an OS X device. This can be done for OS X devices to automatically use company accounts and settings without having to manually add the settings on the device Wipe Settings Profile can be removed to wipe company content and settings while personal accounts and content remain untouched. 83

84 Manage OSX Devices Manage VPN on OS X Mobile Devices > Manage VPN The Endpoint Protector Administrator can apply VPN settings to an OS X device. This can be done for OS X devices to automatically deploy and use company VPN settings and policies without having to manually add the settings on the device History of OS X Devices Actions Mobile Devices > History A record of actions sent to an OS X device are saved in the History tab and the corresponding results are displayed as well. The result can be: Executed, Error, Failed or Pending. 84

85 Manage Android Devices 11. Manage Android Devices For each operating system (ios, OS X and Android) different Device Management features are supported and available. For Android the different management settings are enforced by the EPP Client on the Android device. 85

86 Manage Android Devices 11.1 Security Settings (Security Profile) on Android Enforcing the use of a password / passcode is the most important feature on any company or individually owned device. Protecting access to data on the device is the highest priority when protecting your Android devices. The current Security Policy (if any) will be shown under Current Security Policy Password / Passcode Setting on Android Device Mobile Devices > Security Policy > Set Security Policy The following Settings can be applied for the password / passcode settings for an Android device: Password Quality The following settings can be chosen from: No requirement Any Numeric Alphabetical Alphanumeric Complex Min Password Length Minimum number of digits Max Time To Lock (seconds) If Android device is not used for set number of seconds the device will lock (request password to access again). Max Failed Password Retries The number of times a user can enter a wrong password until the device will wipe all data and reset itself. In case of reset, the device is wiping all user data and is reset to the factory default settings. All data on the device is erased and cannot be recovered. Ask User to change password Checking this option will require the device user to change their current password to a new password. To apply the Password Policy to the device, make the selection and then click Apply. 86

87 Manage Android Devices Device Password Mobile Devices > Security Policy > Device Password The Administrator can set a password and send it to the Android device. This is helpful in case a user has forgotten the device password or the device screen does not accept user input and the device password has to be changed or set to zero. To apply the device password to the device make the selection and click Set Password Android Device Hardware Encryption When the password/passcode for an Android device which has Android Version 4+ is set the Android device is automatically using its built-in hardware encryption to protect data on the device in case it is lost or stolen. We recommend setting a complex password in the security policy for maximum protection. Earlier Android devices with older versions of Android do not offer this functionality. 87

88 Manage Android Devices 11.2 Request Storage Encryption The administrator can request that the Android device s owner/user encrypts the storage of the device by clicking Enable Encryption. A message on the device will request the encryption. The request must be accepted, then the encryption type must be chosen (quick or normal). The encryption can only be started if the following requirements are met: A complex password is set At least 80% battery remains on the device After these requirements are met, the encryption will start and the device cannot be used until encryption is completed. Note: The data on the SD Cards will not be encrypted 88

89 Manage Android Devices 11.3 Remote Android Lock of Device Mobile Devices > Lock / Wipe > Lock Device The Android device can be remotely locked. Clicking Lock will remotely lock the device screen and require a password entry to unlock the screen. The device can be locked while keeping the current password by selecting Lock Device Screen (Keep Current Password). Alternatively it can be locked with a random password by selecting Strong Password Lock (Set Random Password). Remotely locking a device works if a device has a SIM card and the SIM card has been removed from the device. As long as the device has a working internet connection, in this case over Wi-Fi, remote locking of the device will still work as long as the Lock command is able to reach the device. 89

90 Manage Android Devices 11.4 Remote Android Device Wipe (Device Nuke) Mobile Devices > Lock / Wipe > Wipe Device Data The Android device can be remotely wiped. A remote wipe will erase all data on the device and reset the device to its factory default. To remotely wipe a device click Wipe and a confirmation message will ask you to confirm that you want to remotely wipe the device. Additionally to wiping the data on the device, the option Include SD Card can be selected to also wipe any data stored on an SD Card in the device. After a remote wipe the device is unmanaged. There is no connection between the Android device and Endpoint Protector after the remote wipe. The remote wipe of a device also works if a device has a SIM card and the SIM card has been removed from the device. As long as the device has a working internet connection, in this case over Wi-Fi, the remote wipe of the device will still work as long as the wipe command reaches the device. Note: All data on the device will be permanently lost. It cannot be recovered after a remote wipe. Use this feature with caution and only as a last resort Android Remote Wipe of SD-Card Mobile Devices > Lock / Wipe > Wipe SD-Card The SD Card in an Android device can be remotely wiped using this feature. To wipe the SD Card click Wipe SD-Card. 90

91 Manage Android Devices 11.5 Device Ownership Mobile Devices >Device Settings > Device Ownership The Device Ownership option can be set to the rightful owner of a device. Set it to Company if the company has purchased the device for the user, or to Personal if the user has purchased the device and uses it for business purposes. When a device is enrolled the default settings is set as Unknown Android Device Location Settings Mobile Devices >Device Settings > Device Location Settings These settings impact the acuaracy of the location data used to locate an Android device Location Accuracy Fine on Android Leaving the Location Accuracy Fine setting unchecked will mean that it will reply on data from WiFi for triangulation. Checking Location Accuracy Fine will allow the use of GPS data Location Cost Allowed on Android Selecting the setting Location Cost Allowed will cause the device to send location data even if the device is outside of the regular network. 91

92 Manage Android Devices 11.7 Manage Wifi This feature will enable or disable the Wifi on the Android device. Note: Make sure that you have a valid internet connection (other than Wifi), otherwise the communication between the Server and the Android device will not be possible! 11.8 Manage Bluetooth This feature will enable or disable Bluetooth connectivity on the Android device Manage Camera on Android This feature can disable the camera on the Android device. 92

93 Manage Android Devices Play Sound on Device for Android Mobile Devices >Manage Device > Play Sound on Device The Play Sound option will make the Android device play a loud noise in order to locate a misplaced device Refresh Google Accounts for Android Mobile Devices >Manage Device > Refresh Google Accounts Clicking Get Google Accounts will receive a list of Google accounts registered with the Android device. A list of Accounts is displayed under Mobile Devices >Manage Device > Accounts 93

94 Manage Android Devices Refresh Device Details for Android Mobile Devices > Manage Device > Refresh Device Details This function will ask the Android devices for their latest details and display them in the Mobile Device Information section. This function is particularly useful if all device information is not displayed after enrollment Refresh App List for Android Mobile Devices > Manage Device > Refresh App List Clicking Get App List will ask the Android device for a list of all the apps installed on the Android device. The list of all installed Apps is shown in Endpoint Protector MDM at Mobile Devices > Installed Apps 94

95 Manage Android Devices Manage Calendar Events Through this feature it is possible to manage the Calendar Events on an Android device. A list of existing events can be requested by clicking the Get Calendar Info and Get Calendar Events buttons. The administrator will see the events in the Calendar Events section. In the screenshot below we did not click the Get Calendar Info button, so only Calendar Events are listed (note that the Calendar Name field is empty). If we click the Get Calendar Info button afterwards, the Calendar Name field will also be displayed. 95

96 Manage Android Devices Installed Apps on Android Mobile Devices > Installed Apps A List of Apps installed on the Android device lets the Administrator see what apps users have installed on their devices. The list of apps installed on a device can be requested from the Android device and updated though the option Get App List as described in section 11.3 Remote Android Lock of Device on p.89. In future versions of Endpoint Protector MDM, more features for managing apps on Android Devices will be introduced Removing Installed Apps on Android The Endpoint Protector Administrator can send an action to an Android device and ask the device to remove the app from the device. Clicking the Remove App button sends a request to the device. The Android device will now show the user that the device is set to be removed. Mote: The user can oppose removal and simply deny this. In this case the Administrator should send another request for removal. Due to the Android s Operating System, in the current scenario the App cannot be forcefully unistalled. 96

97 Manage Android Devices Get Contacts on Android Mobile Devices > Contacts The Contacts tab lists all contacts that are saved in the address book of an Android device. The Endpoint Protector Administrator can request a list of contacts on the device by clicking Get Contacts under the option Mobile Devices > Manage Devices > Refresh Contacts Get Accounts on Android Mobile Devices > Accounts The Accounts tab lists all accounts used on an Android device. The Endpoint Protector Administrator can request a list of accounts on the device by clicking Get Accounts under the option Mobile Devices > Manage Devices > Refresh Accounts 97

98 Manage Android Devices History of Android Device Actions Mobile Devices > History A record of actions sent to an Android device is saved in the History tab and the corresponding results are shown as well. The result can be: Success, Error, Failed or Pending Manage WiFi, Manage Mail, Profiles on Android Mobile Devices > Manage WiFi Mobile Devices > Manage Mail Mobile Devices > Profiles The Manage WiFi, Manage Mail and Profiles tabs have no functionality associated with them for Android and show No Results. This function is currently only supported for ios devices. 98

99 Mobile Application Management (MAM) for ios 12. Mobile Application Management (MAM) for ios The Mobile Application Management (MAM) feature in Endpoint Protector for ios gives the Endpoint Protector Administrator the ability to push apps from the App Store on managed ios devices. The feature in the current version supports paid and free apps listed on the itunes App Store. (Note: This feature will support not only paid and free apps listed on itunes App Store, but also enterprise apps that are developed in-house ). Mobile apps can be managed under the option: Mobile Device Management > ios App Management 99

100 Mobile Application Management (MAM) for ios 12.1 Adding Apps to your Managed Apps Catalog To add apps, search for the app in the itunes App Store directly from the Endpoint Protector interface Searching for Apps Searching for apps is possible by entering the name of the app or by directly entering the App ID of an app (e.g. the App ID for the EPP MDM ios App is id ). The App ID is stated in the URL of an app when viewing the app details in a web browser (e.g. epp-mdm/id For either type of search, select Using search term or Using itunes App ID Adding Apps to Managed Apps Catalog To add an app to your Managed Apps Catalog, select the app from Search Results and then click Add selected Apps. 100

101 Mobile Application Management (MAM) for ios Adding Enterprise Apps to Managed Apps Catalog You can add apps developed in-house by clicking on the Add Enterprise App button. You will have to enter the required details in the pop-up window. 101

102 Mobile Application Management (MAM) for ios 12.2 Editing App Management Options Managed Apps options can be modified by selecting Edit App. The options for managed Apps are: Remove app when MDM profile is removed - if this management flag is set, then the managed app and all its associated data/content will be removed if the ios device becomes unmanaged, either if the Endpoint Protector administrator unmanages the device or if the device user is unmanaging the device by removing the device enrollment profile. Prevent backup of the app data - if this management flag is set, then the managed apps associated data/content will not be backed up in case the device is synced or backed up with itunes. 102

103 Mobile Application Management (MAM) for ios 12.3 Managed Paid Apps Paid apps require purchasing license keys through the Apple Volume Purchase Program. The licenses (which Apple calls Redemption Codes) can be purchased here: This option is only available for paid apps. In the Endpoint Protector interface select Edit App under the Import Redemption Codes section. After redemption codes have been purchased from Apple they need to be imported through copy/ pasting the redemption codes into the Endpoint Protector interface through: Edit App > Import Redemption Codes After adding the redemption codes, click Save. The saved redemption codes will be listed under Edit App > Redemption Codes 103

104 Mobile Application Management (MAM) for ios All redemption codes show their status either as Available or Used. A Used status means that the code was used when a paid app was pushed to a device which did not alreay have the paid app installed. Additionally the number of total and available (not yet used) redemption codes is shown in the Codes column in the list of Managed ios Apps. In the example below 10/10 means ten of ten codes are available. 104

105 Mobile Application Management (MAM) for ios 12.4 Pushing Apps to ios Devices A list of managed apps is available in the Apps tab when viewing details about any managed ios device. Only apps that have been added to the Managed App Catalog are displayed in this tab. To push an app to a managed device click the the app has been pushed to the device. Push icon. A message will appear confirming that After the app has been pushed to the device, the user is prompted to install the app and to provide the itunes account password associated with the device. Apps can also be pushed from MDM policies Manage Apps tab. 105

106 Mobile Application Management (MAM) for ios Update Managed Apps / Changing Settings In case a newer version of an app is available, you can update it using the same steps as when pushing a new app to a managed device. If an update is pushed, the user will be prompted to update the app. If it is a paid app, no new redemption code is consumed during this process. 106

107 Mobile Application Management (MAM) for ios 12.5 Removing Managed Apps from ios Devices All installed apps on a managed ios device are displayed in the tab Installed Apps. To remove an app, click the Remove icon and the app will be deleted from the managed ios device. When a managed app is removed from a device, the device user is NOT asked to confirm the removal of the app. 107

108 Android Application Management 13. Android Application Management The Mobile Application Management (MAM) feature in Endpoint Protector for Android gives the Endpoint Protector Administrator the power to push apps onto managed Android devices. The feature in the current version supports in-house apps. Mobile apps can be managed under the option Mobile Device Management > Android App Management 108

109 Android Application Management 13.1 Adding Apps to your Managed Apps Catalog To add apps in the Catalog click the Add Android App button and complete the required fields. The administrator must make the application available on the internet if it isn t already, then the corresponding link must be entered in the App Link field. 109

110 Android Application Management 13.2 Editing App Management Options Managed apps can be modified by selecting Edit App or they can be deleted by clicking the Delete button Pushing Apps to Android Devices The list of managed apps is available when viewing the details about any managed Android device in the Apps tab. Only apps that have been added to the Android App Management tab are displayed. To push an app to a managed device click the Push icon. A message will show that the app has been pushed to the device. Multiple applications can be sent by clicking the Push all selected apps button. Apps can also be pushed from Android policy s Manage Apps tab. 110

111 Android Application Management 13.4 Removing Managed Apps from Android Devices All installed apps on an Android device are displayed in the Installed Apps tab. To remove an app click the Remove icon and the app will be deleted from the Android device. When a managed app is removed on the device the device user is not asked to confirm the removal of the app. 111

112 Policy Builder for ios, OSX or Android Devices 14. Policy Builder for ios, OSX or Android Devices The Policy Builder for ios, OS X and Android devices is located under Mobile Device Management > MDM Policies The advantage of using an MDM Policy is that the policy can be changed simultaneously for a large number of devices. 112

113 Policy Builder for ios, OSX or Android Devices 14.1 Create a Policy for ios, OS X or Android Devices To create a new MDM Policy click on Add New and then select which operating System the Policy should apply. Choose between ios, OS X and Android. Give the policy a name and a description that will help you later administering your devices easier. Policies are based on device operating system. Make the settings for the policy you require. Different options which can be set in the policy are available for each operating system. After you made the settings to the Policy click Save. Note: If you select ios7 and newer as your Operating System version but actually the device s operating system is older than ios6, the ios7 Restrictions and Supervised Devices Restrictions won t be sent to the device. 113

114 Policy Builder for ios, OSX or Android Devices 14.2 Assigning Devices to Policy After you have created an MDM Policy, you can assign devices to the policy by selecting them under Policy (OS type) Applies To. You can save your selection of devices by clicking Save. Clicking the Save button does not apply the settings from the policy to the device. You have to click Apply or Save and Apply for the policy to be applied to the devices included in the policy. 114

115 Unmanage a Mobile Device / Uninstall App 15. Unmanage a Mobile Device / Uninstall App In case a mobile device should no longer be remotely managed/controlled, the Endpoint Protector user (depending on rights) and Endpoint Protector Administrator can uninstall / unmanage the mobile device. The uninstall/ unmanage process for Android and ios/ OS X mobile devices is different ios and OS X Device Unmanage by Administrator (over-the-air) To unmanage an ios or OS X device, the Endpoint Protector Enrollment Profile on the ios/os X device has to be removed. The Endpoint Protector Administrator can remove the profile by following the profile removal process described in sections Remove Profile from ios device on p.68 and Remove Profile from OS X Device on p.81. To unmanage a device, it is important that the Endpoint Protector Enrollment Profile is removed. After removing of the Enrollment Profile the device status will change to MobileProfileRemoved as described in section 8.1 Mobile Device Status on p ios Uninstall / Unmanage by User (on Device) To unmanage an ios device, the Endpoint Protector Enrollment Profile on an ios mobile device must be removed. Go to Device Settings > General and select the Endpoint Protector Profile. The next window displayed will contain an option to Remove Endpoint Protector from the mobile device. Note: Although uninstalling an Enrollment Profile can be performed by the user, the Administrator will also be notified about the removal of the Endpoint Protector Enrollment Profile OS X Uninstall / Unmanage by User (on Device) To unmanage an OS X device, the Endpoint Protector Enrollment Profile on an OS X mobile device must be removed. Go to System Preferences > Profiles, select the Endpoint Protector Profile and choose to remove it. Note: Although uninstalling an Enrollment Profile can be performed by the user, the Administrator will also be notified about the removal of the Endpoint Protector Enrollment Profile. 115

116 Unmanage a Mobile Device / Uninstall App 15.2 Uninstall ios EPP MDM app To uninstall the EPP MDM ios app, the user of the ios device can tap and hold the EPP MDM app icon for two seconds and then delete the app by tapping (x) Android EPP Client App Uninstall / Unmanage Android Device To uninstall the EPP Client App on an Android Mobile Device, the user needs to disable the Device Administrator role from Device Settings. To uninstall the EPP Client App follow these steps: 1. Go to Settings on your Android device and select Security. 2. In Security select Device administrators and click on it. 116

117 Unmanage a Mobile Device / Uninstall App 3. Select EPP Device Admin and click Deactivate. 4. A pop-up message will appear saying that the EPP Server will be notified. To continue click OK. A message saying EPP Client Device Admin disabled will appear. 5. Go to the Application menu on your Android device and locate EPP Client in the list of Applications. Click on EPP Client. 117

118 Unmanage a Mobile Device / Uninstall App 6. Click on Force stop. A pop-up message appears. Confirm the force stop by clicking OK. 7. Select Clear data. 8. Click Uninstall and then confirm uninstalling the EPP Client by clicking OK. 118

119 Unmanage a Mobile Device / Uninstall App 9. A message will display Uninstall finished when the EPP Cient has been uninstalled from the Android device. Click OK to complete the process. Note: Although uninstallation can be performed by the user, the Endpoint Protector Appliance will also be notified about the removal of the Android EPP Client App. 119

120 Installing the Root Certificate to Your Internet Browser 16. Installing the Root Certificate to Your Internet Browser 16.1 For Microsoft Internet Explorer Open Internet Explorer and enter the Endpoint Protector Administration and Reporting Tool IP address (i.e. your appliance s static IP Address, e.g. If there is no certificate in your browser, you will be displayed a Certificate Error page like the image below. Continue by clicking Continue to this website (not recommended). Go to the Certificate file you downloaded from the Appliance Setup Wizard > Appliance Server Certificate and install the Certificate. Click the Certificate Error button next to the IE address bar. A pop-up window appears. Click View certificates in that pop-up window. Another pop-up Certificate window appears with three tabs: General, Details and Certification Path. 120

121 Installing the Root Certificate to Your Internet Browser Select the General tab and then click Install Certificate... button or go to Tools > Internet Options > Content > Certificates. From the Certificates list, select Trusted Root Certification Authorities and click on the Import button. 121

122 Installing the Root Certificate to Your Internet Browser A Certificate Import Wizard pops up. Click the Next button. Browse for the Certificate file you downloaded from Appliance Setup Wizard > Appliance Server Certificate. 122

123 Installing the Root Certificate to Your Internet Browser In the Certificate Store window, select the Place all certificates in the following store radio button. Another Certificate Import Wizard pops up. Click the Finish button. 123

124 Installing the Root Certificate to Your Internet Browser A Security Warning window pops up. Click Yes. You have now successfully installed the Certificate. Close the Internet Explorer browser and try accessing the Endpoint Protector Administration and Reporting Tool IP address again. 124

125 Installing the Root Certificate to Your Internet Browser 16.2 For Mozilla Firefox Open the Firefox web browser and enter the Endpoint Protector Administration and Reporting Tool IP address (i.e. your Appliance static IP Address, e.g. From the This Connection is Untrusted screen, choose I Understand the Risks and then click Add Exception. 125

126 Installing the Root Certificate to Your Internet Browser A security Warning window pops up. Click the Get Certificate button and then the Confirm Security Exception button. Close the Firefox web browser and launch it again. 126

127 Terms and Definitions 17. Terms and Definitions Here you can find a list of terms and definitions that are used throughout the user manual Server Related Appliance The Endpoint Protector Appliance which is running the Endpoint Protector Server, Operating System, Databases, etc. Computers PC s, workstations, thin clients, notebooks which have Endpoint Protector Client installed. Devices Known mobile devices, ranging from iphones, ipads and MacBooks to Android Smartphones and tablets. Groups Can be groups of devices, users or computers. Grouping any of these items will significantly help the server administrators to easily manage rights and settings for them. Departments An alternative to Groups for organizing main entities (devices, users or computers), which also involves the administrators of Endpoint Protector. Mobile Device Management (MDM) A set of software and services that allows organizations to closely monitor, manage and secure employees mobile devices regardless of the different mobile service providers and mobile operating systems being used. BYOD Acronym that stands for Bring Your Own Device, which refers to the trend adopted by employees to take their own personal devices to work and directly interface to the corporate network. Apple APNs Certificate Apple Push Notification Service certificate signed by Apple that enables the management of ios and OS X devices by IT Administrators using available MDM software. Provisioning The process of providing mobile device users with appropriate access to all necessary enterprise resources and enforcement of company policies. Enrollment For mobile devices, it refers to the setup process for enabling Mobile Device Management for a specific mobile phone or tablet. 127

128 Terms and Definitions 17.2 Client Related Endpoint Can be a Personal Computer, a Workstation you use at the office or a Notebook computer. An endpoint can call and be called. It generates and terminates the information stream. Client - The client user who is logged in on a computer and who facilitates the transaction of data. Rights Applies to computers, devices, groups, users and global rights; rights are privileges that any of these items may or may not possess. Online computers PC s, Workstations and/or Notebooks which have the Endpoint Protector Client installed and are currently running and are connected to the Endpoint Protector server. Connected devices Devices which are connected to online computers. Events A list of actions that hold major significance in Endpoint Protector. There are currently 17 events that are monitored by Endpoint Protector: Connected The action of connecting a device to a computer running Endpoint Protector Client. Disconnected The action of safely removing a device from a computer running Endpoint Protector Client. Enabled The action of allowing a device access on specified computer(s), group(s) or under specified user(s). Disabled The action of removing all rights from the device, making it inaccessible and unusable. File delete The action of deleting a file located on a portable device. 128

129 Support 18. Support In case additional help, such as the FAQs or support is required, please visit our support website directly at support.kanguru.com. You can also write an to our Support Department under the Contact Us tab from the Support module. One of our team members will contact you as soon as possible. Even if you do not have a problem but would like to request a feature or just want to leave us with general feedback, we would love to hear from you. Your input is much appreciated and we welcome any ideas to make computing with portable devices safe and convenient. 129